\section{Password design and use}

\begin{frame}
  \frametitle{}   % Insert frame title between curly braces
  
\begin{center}
Password design and use
\end{center}
 
\end{frame}

\begin{frame}
  \frametitle{Context}   % Insert frame title between curly braces
  
  \begin{itemize}
  \item<1-> A password mechanism has been selected for user authentication
  \item<2-> \textit{Authentication is the process of establishing confidence in the truth of some identity claim.}

   \end{itemize}
 
\end{frame}

\begin{frame}
  \frametitle{Problem}   % Insert frame title between curly braces
  \begin{itemize}
  \item<1-> Passwords can be stolen or guessed
  \item<2-> People need to remember their passwords
  \item<3-> Passwords that are difficult to guess tend to be difficult to remember
  \end{itemize}
  \begin{center}
\includegraphics[scale=.4]{dilbert-password.png} 
\end{center}


\end{frame}

\begin{frame}
  \frametitle{Problem}   % Insert frame title between curly braces
  \begin{itemize}
  \item<1-> Using a single password in many contexts increases the potential scope of damage from password theft
  \item<2-> Using different password in each context increases the difficulty of remembering each one
  \item<3-> Passwords that are recorded can be discovered by someone else
  \end{itemize}

\end{frame}

\begin{frame}
 
  
\begin{center}
\includegraphics[scale=.55]{solution_structure0.png} 
\end{center}

\end{frame}

\begin{frame}

  
\begin{center}
\includegraphics[scale=.55]{solution_structure.png} 
\end{center}

\end{frame}

\begin{frame}
  \frametitle{Solution and Implementation}   % Insert frame title between curly braces
 We need to consider the following factors:
  \begin{itemize}
  \item<1-> Design and definition of passwords
  	\begin{itemize}
		\item Composition
		\item Length range
		\item  Source
	\end{itemize}
  \item<2-> Use of passwords
  	\begin{itemize}
  		\item Lifetime
  		\item Ownership
  		\item Entry
  		\item Authentication period
  	\end{itemize}
  \item<3-> Protection of passwords
  	\begin{itemize}
  		\item Distribution
  		\item Storage
  		\item Transmission
    \end{itemize}
   \end{itemize}
\end{frame}


\begin{frame}
  \frametitle{Case: Norwegian ERM System}   % Insert frame title between curly braces
  We will have a look at an Enterprise Relationship Management system, from one of the leading supplier of accounting and administration software in Norway.
  \\
  \begin{itemize}
  \item<2-> Invoices
  \item<2-> Salary
  \item<2-> Accountancy
  \item<2-> Budget
  \item<2-> CRM
  \item<2-> ...
\end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System}   % Insert frame title between curly braces
\begin{center}
\includegraphics[scale=.4]{SQLtilkopling.png} 
\end{center}

\end{frame}

\begin{frame}
  \frametitle{Design and definition of Passwords - Composition}   % Insert frame title between curly braces
  Bad practise: 
  \begin{itemize}
  \item<2-> \textbf{Do not use:} your account name, word that appears in dictionary, acronyms, alphabetic sequences, numeric sequences, keyboard sequences, titles of books, movies, poems, essays, songs, CD's, names of mythological, legendary, religious or fictional characters, object, race, place or event, words with some or all the letters reversed, conjugation or plurals of words, words with the vowels deleted, only the first or the last character in uppercase, only vowels in uppercase, only consonants in uppercase, personally-related information such as initials, name of family members, birthday, familymember's birthdays, hobbies, interests, job title, publicly shown example of a good password \ldots

  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Design and definition of Passwords - Composition}   % Insert frame title between curly braces
  Good practise: 
  \begin{itemize}
  \item<2-> Passwords should be composed from a defined set of ASCII characters
  \item<3-> Include a digit or punctuation
  \item<4-> Choose a phrase or a combination of words
  \item<5-> Allow two words separated by a non-letter non-digit character
  \item<6-> Don't reuse passwords or make only minor variations such as incrementing a digit

  \end{itemize}

\end{frame}


\begin{frame}
  \frametitle{Case: Norwegian ERM System - Composition}   % Insert frame title between curly braces
  \begin{itemize}
  \item<1-> The users of the "time registration application only" entered their username, and no password(!)
  \item<2-> The users of the "salary application" uses a self chosen password.
  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Design and definition of Passwords - Length range}   % Insert frame title between curly braces
 \begin{center}
 Length range is the set of acceptable lengths of passwords. An average person can easily remember a maximum of seven items.
\end{center}
  \begin{itemize}
  \item<2-> Minimum length equal or greater than four
  \item<3-> The length range should allow a minimum of 10,000 possible passwords
  \item<4-> A pass phrase longer than the acceptable length should be transformed into a virtual password of acceptable length of storage.
   \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian  ERM System - Length range}   % Insert frame title between curly braces
  \begin{itemize}
  \item<1-> The passwords for the "salary application" are truncated if they are more than 16 characters
  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Design and definition of Passwords - Source}   % Insert frame title between curly braces
\begin{center}
Source is the set of acceptable entities that can create or select a valid password from among all acceptable passwords
\end{center}
  \begin{itemize}
  \item<2-> Example of sources: the user, the security officer, a automated password generator
  \item<3-> All passwords that may be included in a new system when it is delivered, transferred or installed should be immediately changed.
 \item<4-> Users who create or change their own personal password should be instructed to follow the good practice in the composition section.
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Use of passwords - Lifetime}   % Insert frame title between curly braces
\begin{center}
Lifetime is the maximum acceptable period of time which a password is valid.
\end{center}
  \begin{itemize}
  \item<2-> Maximum lifetime of one year.
  \item<3-> Password should be replaced quickly if compromise of the password is suspected or confirmed
 \item<4-> Forgotten password should be replaced, not reissued
 \item<5-> The password should be capable of maintaining a record of when a password was created and changed
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Lifetime}   % Insert frame title between curly braces
  \begin{itemize}
  \item<1-> The passwords for the "salary application" never expires
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Use of passwords - Ownership}   % Insert frame title between curly braces
\begin{center}
Ownership is the set of individuals who are authorized to use a password.
\end{center}
  \begin{itemize}
  \item<2-> Passwords used to authenticate identity should be owned only by the individual with that identity.
  \item<3-> Each individual should be responsible for providing protection against loss or disclosure of passwords in their possession.
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Case: ERM System - Ownership}   % Insert frame title between curly braces
  \begin{itemize}
  \item<1-> The users of the "time registration application" don't have a password
  \item<2-> Several applications uses the same "sa" account to connect to the database
  \end{itemize}
\end{frame}


\begin{frame}
  \frametitle{Use of passwords - Entry}   % Insert frame title between curly braces
\begin{center}
Entry is the set of acceptable methods by which a password may be entered by a user for authentication or authorization purposes.
\end{center}
  \begin{itemize}
  \item<2-> The password should be entered in a manner that protects the password from observation.
  \item<3-> User should be allowed more than one attempt to enter a password correctly.
  \item<4-> A maximum of three attempts is considered adequate for typical users of a computer system
  \item<5-> The response to exceeding the maximum numbers of retries can be account lock-down, account suspension for a specified time, or account release by security officer only.
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System  - Entry}   % Insert frame title between curly braces
  \begin{itemize}
  \item<1-> There exist no maximum attempts of entering passwords for "the salary application".
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Use of passwords - Authentication period}   % Insert frame title between curly braces
Authentication period is the maximum acceptable period between any initial authentication process and subsequent re-authentication processes during a single terminal session.
  \begin{itemize}
  \item<2-> Individual passwords should be authenticated each time a claim of identity is made
  \item<3-> A system should have log-on time-outs established. If there is no user activity for a specified period of time (the time-out period) the user is automatically logged off.

  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Authentication period}   % Insert frame title between curly braces
  \begin{itemize}
  \item<1-> There exist no time-out functionality for the ERM system.
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Protection of passwords - Distribution}   % Insert frame title between curly braces
\begin{center}
Distribution is the set of acceptable methods for providing (transporting) a new password to its owner(s), and to all places where it will be needed in the information system.
\end{center}
  \begin{itemize}
  \item<2-> For example in a separately-mailed envelope
  \item<3-> Temporary storage during the distribution must be erased.
  \item<4-> Keep a record of time and date of password issuing/generation, and to whom it was distributed, but not the password itself
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Protection of passwords - Storage}   % Insert frame title between curly braces
\begin{center}
Storage is the set of acceptable methods of storing a valid password during its lifetime
\end{center}
  \begin{itemize}
  \item<2-> Only the password mechanism should be able to access the passwords
  \item<3-> Some systems separate the password file from the authorized user file.
  \item<4-> Some systems encrypt the passwords before they are stored.
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Case: ERM System - Storage}   % Insert frame title between curly braces
 The passwords for the Salary application is stored in a table in the database.
 \begin{center}
\includegraphics[scale=.5]{brukerliste.png} 
\end{center}
\end{frame}

\begin{frame}
  \frametitle{Case: ERM System - Storage}   % Insert frame title between curly braces
 Decrypting the encrypted password "ssphlojolqnhlqsjmjngtsrkirrqrmlf".
 \begin{center}
\includegraphics[scale=.3]{sortingpassword.png} 
\end{center}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
Decryption of the first "password char" - \textbf{r}

\begin{center}
\includegraphics[scale=.3]{constants.png} 
\end{center}

  \begin{itemize}
  \item<2-> We lookup the char \textit{r} and \textit{l} in the UTF8-table.
  \item<3-> $r=114$ and $l=108$
  \item<4-> The decryption function is $(key \: char – constant_{1}) \cdot 16 + (password \: char – constant_{2})$
  \item<5-> $(108 – 104) \cdot 16 + (114 – 102) = 76$
  \item<6-> 76 equals \textbf{L} in the UTF8-table
  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
Lets have a look at the applications password for connecting to the database
\begin{center}
\includegraphics[scale=.2]{sapassword.png} 
\end{center}
 \begin{itemize}
  \item<2-> The password is stored in the Windows registry as default, on every client machine(!)
  \item<3-> The default password is the name of the software vendor
  \item<4-> The password is stored in plaintext
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
Hurray! The password can be encrypted!
\begin{center}
\includegraphics[scale=.5]{sqlkrypt.png} 
\end{center}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
But \ldots if we "encrypt" \textit{links2007!} several times, this is the result:\\
\begin{center}
\begin{tabular}{|c|c|c|}
\hline Diff 1 & Diff 2 & Diff 3 \\ 
\hline 87yrby\_J\_To!88 & 63n8r3\_RZHE!65 & 58eGaFH33ZU!61 \\ 
\hline 48yrby\_J\_To!49 & 48n8r3\_RZHE!50 & 70eGaFH33ZU!73 \\ 
\hline 45yrby\_J\_To!46 & 88n8r3\_RZHE!90 & 47eGaFH33ZU!50 \\ 
\hline 
\end{tabular} 
\end{center}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Storage}   % Insert frame title between curly braces
\begin{center}
\includegraphics[scale=3.5]{code.png} 
\end{center}
\end{frame}

\begin{frame}
  \frametitle{Protection of passwords - Transmission}   % Insert frame title between curly braces
\begin{center}
Transmission is the set of acceptable methods for communication a password from its point of entry to its point of comparison with a stored, valid password
\end{center}
  \begin{itemize}
  \item<2-> The transmission should hold she same level of protection as the system or the data, that the password is protecting
  \item<3-> Unencrypted password should be transmitted as ASCII characters if interchanged between systems, while encrypted passwords and virtual passwords should be transmitted either as 64-bit binary fields, or as the ASCII representation of the hexadecimal character set 
  \end{itemize}
\end{frame}

\begin{frame}
  \frametitle{Case: Norwegian ERM System - Transmission}   % Insert frame title between curly braces
All passwords are transmitted in plain text.
\end{frame}

\begin{frame}
  \frametitle{Consequences}   % Insert frame title between curly braces
The benefits of applying this pattern:
 \begin{itemize}
  \item<2-> Applying this pattern results in increased protection of passwords and consequently higher accuracy of I \& A.
  \item<3-> The potential number of false positives resulting from such things as password guessing is expected to be reduced
  \end{itemize}

\end{frame}

\begin{frame}
  \frametitle{Is this a solution??}   % Insert frame title between curly braces
\begin{center}
The password must be impossible to remember\\ and never written down.[Smith2002]\\

\includegraphics[scale=.3]{dilbert-password3.png} 
\end{center}

\end{frame}